On Thu, 4 Oct 2001, Matt Hempel wrote:
...
> [Default-quick-mode]
>
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-PFS-SUITE
>
> # Suites
>
> [QM-ESP-3DES-SHA-PFS-SUITE]
> Protocols= QM-ESP-3DES-SHA-PFS
>
> # Quick mode protocols
>
> [QM-ESP-3DES-SHA-PFS-XF]
> PROTOCOL_ID= IPSEC_ESP
> Transforms= QM-ESP-3DES-SHA-PFS-XF
The above section should have been named just 'QM-ESP-3DES-SHA-PFS', i.e.
you should skip the trailing '-XF'.
It is a bit dangerous, although perfectly legitimate, to re-use the names
of the autogenerated configuration. The problem, of course, is that typos
are hard to spot and you'll probably end up with a configuration that
isakmpd will accept since the default values are still there, but your
negotiations may fail since you depend on a critical changed value
somewhere. In this case, you most likely fell through to a TUNNEL mode
transform using the "predefined" QM-ESP-3DES-SHA-PFS name.
Actually, in your case you should be able to get by with just the
following (using one of the predef'd values for transport mode IPsec):
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-TRP-3DES-SHA-PFS-SUITE
and skip the rest, i.e. suites, protocols and xform definitions. Note that
the '-TRP' above means transport mode.
Additionally, you may want to tweak
[General]
Default-phase-2-lifetime= 1200,60:86400
to match your 'LIFE_PHASE2'...
For more info, read isakmpd.conf(5).
//Håkan
--
Håkan Olsson <ho@crt.se> (+46) 708 437 337 Carlstedt Research
Unix, Networking, Security (+46) 31 701 4264 & Technology AB
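The failure mode described in the reply, a mis-typed section name that isakmpd silently resolves to its built-in definition instead of the one you wrote, can be caught before the daemon ever sees the file. The following checker is an added example for this thread; it is not isakmpd's code and not part of the original mail. It assumes a simplified isakmpd.conf syntax (`[Section]` headers, `Key= Value` lines, `#` comments, comma-separated lists), walks from `[Default-quick-mode]` through `Suites`, `Protocols` and `Transforms`, and reports two things: names that are referenced but not defined in the file (so isakmpd would fall back to a predefined entry of that name, if one exists) and sections that are defined in the file but never reached from the root (the typical symptom of a typo). The two sample fragments are constructed from the configuration quoted above.

```python
"""Lint an isakmpd.conf-style fragment for dangling or orphaned sections."""
import re

# Constructed sample: the mis-named fragment quoted in the mail
# ('-XF' appended to the protocol section name by mistake).
BROKEN_CONF = """\
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-PFS-SUITE

# Suites
[QM-ESP-3DES-SHA-PFS-SUITE]
Protocols= QM-ESP-3DES-SHA-PFS

# Quick mode protocols
[QM-ESP-3DES-SHA-PFS-XF]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-SHA-PFS-XF
"""

# Constructed sample: the same fragment with the protocol section named as
# intended, so the suite's Protocols= reference now resolves locally.
FIXED_CONF = BROKEN_CONF.replace("[QM-ESP-3DES-SHA-PFS-XF]", "[QM-ESP-3DES-SHA-PFS]")

# Keys whose values name other sections, in the order isakmpd follows them
# from a quick-mode entry: Suites -> Protocols -> Transforms.
LINK_KEYS = ("Suites", "Protocols", "Transforms")

# Sections that are configuration roots rather than link targets.
NON_LINK_SECTIONS = {"General"}


def parse_conf(text):
    """Return {section: {key: raw_value}} for a simplified isakmpd.conf.

    Assumption: comments start with '#', values may contain commas, and
    anything before the first [Section] header is ignored.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def check_references(sections, root="Default-quick-mode"):
    """Walk the Suites/Protocols/Transforms links from `root`.

    Returns (external, unreachable):
      external    - names referenced but not defined in this file; isakmpd
                    will use its built-in definition of that name, if any.
      unreachable - sections defined here that nothing reaches from `root`,
                    which usually means a reference to them was mis-typed.
    """
    external = set()
    reachable = set()
    todo = [root]
    while todo:
        name = todo.pop()
        if name in reachable:
            continue
        if name not in sections:
            external.add(name)
            continue
        reachable.add(name)
        for key in LINK_KEYS:
            for ref in sections[name].get(key, "").split(","):
                if ref.strip():
                    todo.append(ref.strip())
    unreachable = sorted(
        s for s in sections if s not in reachable and s not in NON_LINK_SECTIONS
    )
    return sorted(external), unreachable


def report(text, label):
    """Print a human-readable summary of the checks for one fragment."""
    external, unreachable = check_references(parse_conf(text))
    print(f"== {label} ==")
    for name in external:
        print(f"  falls back to isakmpd's predefined entry: {name}")
    for name in unreachable:
        print(f"  defined here but never referenced (typo?): {name}")
    if not unreachable:
        print("  every locally defined section is reachable")


if __name__ == "__main__":
    report(BROKEN_CONF, "broken (as posted)")
    report(FIXED_CONF, "fixed (section renamed)")
```

On the broken fragment the checker reports that `QM-ESP-3DES-SHA-PFS` is not defined locally (so isakmpd's predefined tunnel-mode entry of that name is what actually gets negotiated) and that the hand-written `QM-ESP-3DES-SHA-PFS-XF` section is never reached. On the fixed fragment the only external name is the transform `QM-ESP-3DES-SHA-PFS-XF`, which is the deliberate re-use of a predefined entry the reply describes as legitimate; a predefined name showing up in the first list is therefore not an error by itself, but anything in the second list deserves a look.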